NetFlow technology inspects the packets traversing a router interface to identify the actual traffic. On links with a high volume of packets and high packet rates, this analysis makes the router use more CPU and memory. Sampling is the solution to use when flow analytics has to be done on such a device.

With sampling, instead of every packet, 1 out of N packets (where N is the sampling rate) is captured and sent to NetFlow Analyzer for traffic analytics. Based on the information in that one packet, the traffic pattern for the rest of the packets is constructed.

Sampling considerably decreases the CPU utilization needed to account for NetFlow packets, because the majority of the packets are switched faster: they do not need to go through additional NetFlow processing.
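How a 1-out-of-N sample is scaled back up, and what it can miss, shown as an added example that is not part of the original post. The function names and the traffic are constructed for illustration, and picking one packet per window of N is a simplified model of the router's sampler.

```python
import random
from collections import defaultdict

def sample_1_in_n(packets, n, mode="random", seed=1):
    """Pick one packet from each window of n packets (simplified sampler model).

    packets: list of (flow_key, size_bytes) in arrival order.
    Returns {flow_key: [sampled_packets, sampled_bytes]}.
    """
    rng = random.Random(seed)
    cache = defaultdict(lambda: [0, 0])
    for start in range(0, len(packets), n):
        window = packets[start:start + n]
        # deterministic: always the first packet of the window;
        # random: one packet chosen uniformly inside the window.
        pick = 0 if mode == "deterministic" else rng.randrange(len(window))
        flow, size = window[pick]
        cache[flow][0] += 1
        cache[flow][1] += size
    return dict(cache)

def scale_up(cache, n):
    """Collector-side estimate: multiply sampled counters by the sampling rate."""
    return {flow: (pkts * n, byts * n) for flow, (pkts, byts) in cache.items()}

def build_traffic():
    """Constructed traffic: 995 bulk packets plus a 5-packet flow spread through it."""
    packets = [("bulk", 1500)] * 1000
    for pos in (50, 250, 450, 650, 850):
        packets[pos] = ("short-flow", 100)
    return packets

if __name__ == "__main__":
    traffic = build_traffic()
    for mode in ("deterministic", "random"):
        estimate = scale_up(sample_1_in_n(traffic, 100, mode), 100)
        print(mode, estimate)
```

In the deterministic run the 995 bulk packets are reported as 1000 and the 5-packet flow does not appear at all, which is the trade-off to keep in mind when sampled flow data feeds traffic monitoring or detection.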

This blog shows how to configure sample-based Flexible NetFlow export on Cisco routers. All Cisco routers with the latest IOS support Flexible NetFlow export with the sampling option.

To configure sample-based traditional NetFlow export on the router, refer to this link, and for core switches, refer to this link.

Flexible NetFlow configuration

Flexible NetFlow configuration is somewhat different from traditional NetFlow export as it needs multiple entities like:

  • Flow Exporter
  • Defining sampler
  • Flow Record
  • Flow Monitor
  • Attaching the monitor to interface

Refer to this link for the steps to configure Flexible NetFlow without sampling on a Cisco router.

Flow exporter configuration

The flow exporter defines the export source and the destination that receives the NetFlow packets.

flow exporter ManageEngine
 ! destination takes the IP address of the NetFlow Analyzer server
 destination
 transport udp 9996
 template data timeout 60
 option sampler-table

Configuring sampling:

sampler NFASample
 ! mode requires a selection keyword: random or deterministic
 mode random 1 out-of 100

Flow record configuration

Flow record configuration defines the fields exported via the NetFlow protocol. Flexible NetFlow pre-defined flow records are based on the original NetFlow ingress or egress caches. Cisco provides a unique keyword to identify each pre-defined record, and these records can be associated with a Flexible NetFlow flow record configuration. The Flexible NetFlow "netflow-original" and "netflow ipv4 original-input" are predefined records, and these two records can be used interchangeably to export the basic key fields and time stamp fields.

The latest Cisco IOS also allows us to define a user-defined flow record with a unique name.

Flow monitor configuration

The flow monitor defines the exporter and the record which are to be sent to the analyzing software.

flow monitor ManageEngine
 ! or: record netflow ipv4 original-input
 record netflow-original
 exporter ManageEngine
 cache timeout active 60
 cache timeout inactive 15

Associating the monitor to an interface for NetFlow accounting

The flow monitor has to be attached to every physical or logical interface to capture the traffic and export NetFlow packets.

interface FastEthernet0/0
 ! the sampler name must match the one defined above (NFASample)
 ip flow monitor ManageEngine sampler NFASample input

Hope this blog helps those who want to configure sample-based Flexible NetFlow export on their Cisco routers.

References:

http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/cfg_cpu_friendly_netflow_export.html

http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/use_fnflow_redce_cpu.html

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_sanf.html

vpraveenkumar@zohocorp.com
Member Leadership Staff

  1. Praveen Kumar V

    This is Flexible NetFlow; by default it will take NetFlow Version 9. You can also specify NetFlow V9.

  2. Simon

    Which ip flow version should I specify in the router config?